diff --git a/pkg/service/controller.go b/pkg/service/controller.go
index 0f9722c..3b0e012 100644
--- a/pkg/service/controller.go
+++ b/pkg/service/controller.go
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2021, Oracle and/or its affiliates.
+ * Copyright (c) 2021, 2022, Oracle.
 * Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/
 */
@@ -44,7 +44,7 @@ func (zd *ZFSSADriver) CreateVolume(ctx context.Context, req *csi.CreateVolumeRe
 if err != nil {
 return nil, status.Error(codes.Unauthenticated, "Invalid credentials")
 }
- token := zfssarest.LookUpToken(user, password)
+ token := zfssarest.LookUpToken(ctx, user, password)
 // Validate the parameters
 if err := validateCreateVolumeReq(ctx, token, req); err != nil {
@@ -181,7 +181,7 @@ func (zd *ZFSSADriver) DeleteVolume(ctx context.Context, req *csi.DeleteVolumeRe
 if err != nil {
 return nil, status.Error(codes.Unauthenticated, "Invalid credentials")
 }
- token := zfssarest.LookUpToken(user, password)
+ token := zfssarest.LookUpToken(ctx, user, password)
 volumeID := req.GetVolumeId()
 if len(volumeID) == 0 {
@@ -249,7 +249,7 @@ func (zd *ZFSSADriver) ControllerPublishVolume(ctx context.Context, req *csi.Con
 if err != nil {
 return nil, status.Error(codes.Unauthenticated, "Invalid credentials")
 }
- token := zfssarest.LookUpToken(user, password)
+ token := zfssarest.LookUpToken(ctx, user, password)
 zvol, err := zd.lookupVolume(ctx, token, volumeID)
 if err != nil {
@@ -280,7 +280,7 @@ func (zd *ZFSSADriver) ControllerUnpublishVolume(ctx context.Context, req *csi.C
 if err != nil {
 return nil, status.Error(codes.Unauthenticated, "Invalid credentials")
 }
- token := zfssarest.LookUpToken(user, password)
+ token := zfssarest.LookUpToken(ctx, user, password)
 zvol, err := zd.lookupVolume(ctx, token, volumeID)
 if err != nil {
@@ -317,7 +317,7 @@ func (zd *ZFSSADriver) ValidateVolumeCapabilities(ctx context.Context, req *csi.
 if err != nil {
 return nil, status.Error(codes.Unauthenticated, "Invalid credentials")
 }
- token := zfssarest.LookUpToken(user, password)
+ token := zfssarest.LookUpToken(ctx, user, password)
 zvol, err := zd.lookupVolume(ctx, token, volumeID)
 if err != nil {
@@ -409,7 +409,7 @@ func (zd *ZFSSADriver) GetCapacity(ctx context.Context, req *csi.GetCapacityRequ
 if err != nil {
 return nil, status.Error(codes.Unauthenticated, "Invalid credentials")
 }
- token := zfssarest.LookUpToken(user, password)
+ token := zfssarest.LookUpToken(ctx, user, password)
 parameters := req.GetParameters()
 projectName, ok := parameters["project"]
@@ -487,7 +487,7 @@ func (zd *ZFSSADriver) CreateSnapshot(ctx context.Context, req *csi.CreateSnapsh
 if err != nil {
 return nil, status.Error(codes.Unauthenticated, "Invalid credentials")
 }
- token := zfssarest.LookUpToken(user, password)
+ token := zfssarest.LookUpToken(ctx, user, password)
 zsnap, err := zd.newSnapshot(ctx, token, snapName, sourceId)
 if err != nil {
@@ -514,7 +514,7 @@ func (zd *ZFSSADriver) DeleteSnapshot(ctx context.Context, req *csi.DeleteSnapsh
 if err != nil {
 return nil, status.Error(codes.Unauthenticated, "Invalid credentials")
 }
- token := zfssarest.LookUpToken(user, password)
+ token := zfssarest.LookUpToken(ctx, user, password)
 // Get exclusive access to the snapshot.
 zsnap, err := zd.lookupSnapshot(ctx, token, req.SnapshotId)
@@ -566,7 +566,7 @@ func (zd *ZFSSADriver) ListSnapshots(ctx context.Context, req *csi.ListSnapshots
 if err != nil {
 return nil, status.Error(codes.Unauthenticated, "Invalid credentials")
 }
- token := zfssarest.LookUpToken(user, password)
+ token := zfssarest.LookUpToken(ctx, user, password)
 var entries []*csi.ListSnapshotsResponse_Entry
@@ -646,7 +646,7 @@ func (zd *ZFSSADriver) ControllerExpandVolume(ctx context.Context, req *csi.Cont
 if err != nil {
 return nil, status.Error(codes.Unauthenticated, "Invalid credentials")
 }
- token := zfssarest.LookUpToken(user, password)
+ token := zfssarest.LookUpToken(ctx, user, password)
 zvol, err := zd.lookupVolume(ctx, token, volumeID)
 if err != nil {
diff --git a/pkg/service/identity.go b/pkg/service/identity.go
index 4838bb1..c3b318e 100644
--- a/pkg/service/identity.go
+++ b/pkg/service/identity.go
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2021, Oracle and/or its affiliates.
+ * Copyright (c) 2021, 2022, Oracle.
 * Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/
 */
@@ -69,7 +69,7 @@ func (zd *ZFSSADriver) Probe(ctx context.Context, req *csi.ProbeRequest) (
 if err != nil {
 return nil, grpcStatus.Error(codes.Unauthenticated, "Invalid credentials")
 }
- token := zfssarest.LookUpToken(user, password)
+ token := zfssarest.LookUpToken(ctx, user, password)
 _, err = zfssarest.GetServices(ctx, token)
 if err != nil {
 return &csi.ProbeResponse{
diff --git a/pkg/service/node.go b/pkg/service/node.go
index f1d6ef8..db50fc2 100644
--- a/pkg/service/node.go
+++ b/pkg/service/node.go
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2021, Oracle and/or its affiliates.
+ * Copyright (c) 2021, 2022, Oracle.
 * Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/
 */
@@ -165,7 +165,7 @@ func (zd *ZFSSADriver) NodePublishVolume(ctx context.Context, req *csi.NodePubli
 if err != nil {
 return nil, status.Error(codes.Unauthenticated, "Invalid credentials")
 }
- token := zfssarest.LookUpToken(user, password)
+ token := zfssarest.LookUpToken(ctx, user, password)
 var mountOptions []string
 if req.GetReadonly() {
@@ -217,7 +217,7 @@ func (zd *ZFSSADriver) NodeUnpublishVolume(ctx context.Context, req *csi.NodeUnp
 if err != nil {
 return nil, status.Error(codes.Unauthenticated, "Invalid credentials")
 }
- token := zfssarest.LookUpToken(user, password)
+ token := zfssarest.LookUpToken(ctx, user, password)
 if zVolumeId.IsBlock() {
 return zd.nodeUnpublishBlockVolume(ctx, token, req, zVolumeId)
 } else {
diff --git a/pkg/service/volumes.go b/pkg/service/volumes.go
index f68525e..ecd5bd9 100644
--- a/pkg/service/volumes.go
+++ b/pkg/service/volumes.go
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2021, Oracle and/or its affiliates.
+ * Copyright (c) 2021, 2022, Oracle.
 * Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/
 */
@@ -435,7 +435,7 @@ func (zd *ZFSSADriver) updateFilesystemList(ctx context.Context, out chan<- erro
 if err != nil {
 out <- err
 }
- token := zfssarest.LookUpToken(user, password)
+ token := zfssarest.LookUpToken(ctx, user, password)
 fsList, err := zfssarest.GetFilesystems(ctx, token, "", "")
 if err != nil {
 utils.GetLogCTRL(ctx, 2).Println("zd.updateFilesystemList failed", "error", err.Error())
@@ -461,7 +461,7 @@ func (zd *ZFSSADriver) updateLunList(ctx context.Context, out chan<- error) {
 if err != nil {
 out <- err
 }
- token := zfssarest.LookUpToken(user, password)
+ token := zfssarest.LookUpToken(ctx, user, password)
 lunList, err := zfssarest.GetLuns(ctx, token, "", "")
 if err != nil {
@@ -520,7 +520,7 @@ func (zd *ZFSSADriver) updateSnapshotList(ctx context.Context) error {
 return err
 }
- token := zfssarest.LookUpToken(user, password)
+ token := zfssarest.LookUpToken(ctx, user, password)
 snapList, err := zfssarest.GetSnapshots(ctx, token, "")
 if err != nil {
 utils.GetLogCTRL(ctx, 2).Println("zd.updateSnapshotList failed", "error", err.Error())
diff --git a/pkg/zfssarest/zfssa_rest.go b/pkg/zfssarest/zfssa_rest.go
index 46d5c13..87a6029 100644
--- a/pkg/zfssarest/zfssa_rest.go
+++ b/pkg/zfssarest/zfssa_rest.go
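Review bot: In updateFilesystemList, the credential-lookup failure branch `out <- err` does not return, so the new `token := zfssarest.LookUpToken(ctx, user, password)` line and the GetFilesystems call after it still run after the error has already been reported; updateLunList in the following hunk has the same shape, whereas updateSnapshotList returns. What user and password hold on that path is assigned outside the hunk, so this may be a deliberate best-effort, but as written a failed lookup both reports an error and proceeds, and with the new LookUpToken it can register a cache entry under whatever user name is left in the variable. If the fall-through is not intended, `out <- err` should be followed by `return` in both functions. The bodies of updateFilesystemList and updateLunList continue outside their hunks.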
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2021, Oracle and/or its affiliates.
+ * Copyright (c) 2021, 2022, Oracle.
 * Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/
 */
@@ -56,7 +56,6 @@ const (
 zProperty = zProperties + "/%s"
 )
-// State of a ZFSSA token
 const (
 zfssaTokenInvalid = iota
 zfssaTokenCreating
@@ -128,10 +127,13 @@ func InitREST(name string, certs []byte, secure bool) error {
 // Looks up a token context based on the user name passed in. If one doesn't exist
 // yet, it is created.
-func LookUpToken(user, password string) *Token {
-
+func LookUpToken(ctx context.Context, user, password string) *Token {
 tokens.mtx.Lock()
 if token, ok := tokens.list[user]; ok {
+ if password != "" && password != token.password {
+ utils.GetLogREST(ctx, 2).Println("Target ZFSSA password updated for session")
+ token.password = password
+ }
 tokens.mtx.Unlock()
 return token
 }
@@ -173,11 +175,12 @@ func getToken(ctx context.Context, token *Token, previous *string) (string, erro
 switch token.state {
 case zfssaTokenInvalid:
 // No token available. We create one.
+ utils.GetLogREST(ctx, 2).Println("Creating new ZFSSA session for token")
 token.state = zfssaTokenCreating
 token.mtx.Unlock()
 var err error
- token.xAuthSession, token.xAuthName, err = createToken(ctx, token)
+ token.xAuthSession, token.xAuthName, err = createZfssaSession(ctx, token)
 xAuthSession := token.xAuthSession
 token.mtx.Lock()
@@ -202,6 +205,7 @@ func getToken(ctx context.Context, token *Token, previous *string) (string, erro
 token.mtx.Unlock()
 return xAuthSession, nil
 }
+ utils.GetLogREST(ctx, 2).Println("ZFSSA session transitioning to invalid")
 token.state = zfssaTokenInvalid
 continue
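Review bot: The removed line `// State of a ZFSSA token` leaves the `zfssaTokenInvalid = iota` block with no comment saying what the constants represent, and nothing in the hunk replaces it. Since the commit moves to "session" wording elsewhere, a one-line comment in that terminology keeps the intent visible, e.g. `// States of a cached ZFSSA session (token.state); transitions are driven by getToken.` The const block continues outside the hunk.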
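Review bot: The added `token.password = password` write in LookUpToken is done under `tokens.mtx` only, while the getToken hunk shows per-token fields being guarded by `token.mtx`; if createZfssaSession reads `token.password` under `token.mtx` (its body is outside the hunk), the new write races with that read. Taking `token.mtx` around the compare-and-assign, or documenting that `tokens.mtx` also covers `password`, would settle which lock owns the field. Separately, updating the password does not touch `token.state`, so an X-Auth-Session obtained with the previous credential stays cached and is used until the appliance answers 401; if the change is meant to make a rotated secret take effect immediately, the state should be reset to `zfssaTokenInvalid` here, and either way a comment such as `// Caller's secret changed; the cached session is kept until ZFSSA rejects it (see makeRequest).` would record the intended behaviour. The new log line correctly omits the secret, but adding `"user", user` to it would make the event attributable.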
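Review bot: The two log lines added to getToken, `Creating new ZFSSA session for token` and `ZFSSA session transitioning to invalid`, carry no identifier of which cached entry they refer to, so with several users or targets the state transitions cannot be correlated from the log. Passing the key the entry is registered under as a structured field, in the `"error", err.Error()` style the service package already uses, would fix that, e.g. `Println("Creating new ZFSSA session for token", "user", u)` where `u` is whatever field Token keeps the user name in (its definition is outside the hunk; the map in LookUpToken is keyed by user). getToken's body continues outside the hunk.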
@@ -211,11 +215,11 @@ func getToken(ctx context.Context, token *Token, previous *string) (string, erro
 }
 }
-// Send an HTTP request to the ZFSSA to create a non-persistent token.
+// Send an HTTP request to the ZFSSA to create a non-persistent, reusable session.
 //
 // A non-persistent token is specific to the cluster node on which the ID was
 // created and is not synchronized between the cluster peers.
-func createToken(ctx context.Context, token *Token) (string, string, error) {
+func createZfssaSession(ctx context.Context, token *Token) (string, string, error) {
 httpReq, err := http.NewRequest("POST", zServicesURL, bytes.NewBuffer(nil))
 if err != nil {
@@ -325,6 +329,7 @@ func makeRequest(ctx context.Context, token *Token, method, url string, reqbody
 // We check here whether the token may have expired and renew it if needed.
 if rsphttp.StatusCode == http.StatusUnauthorized {
+ // Refresh token and secret
 _, err = getToken(ctx, token, &xAuthSession)
 return nil, http.StatusUnauthorized, err
 }
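Review bot: The added comment `// Refresh token and secret` above `_, err = getToken(ctx, token, &xAuthSession)` overstates what the call does: getToken re-creates the X-Auth-Session via createZfssaSession, and nothing on this path changes the password, which is only updated in LookUpToken. A comment that matches the code would be `// 401: the cached X-Auth-Session is stale; re-authenticate so a later attempt uses a fresh one.` The refreshed session value is discarded here and StatusUnauthorized is returned to the caller, so if the design is that the caller retries, the comment should say so, since the retry is not visible in makeRequest itself. makeRequest's body continues outside the hunk.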